SEC-1254: LogoutBeanDefinitionParser cannot leave 'logoutSuccessUrl' empty #1505

Closed
spring-issuemaster opened this Issue Sep 29, 2009 · 3 comments

1 participant

@spring-issuemaster

zhouyanming (Migrated from SEC-1254) said:

I have patched LogoutFilter before to use request.getHeader('Referer') for logoutSuccessUrl http://jira.springframework.org/browse/SEC-491
It need logoutSuccessUrl be empty to use such feature

please remove DEF_LOGOUT_SUCCESS_URL in LogoutBeanDefinitionParser leave it to LogoutFilter, LogoutFilter has default value "/"

@spring-issuemaster

Luke Taylor said:

The behaviour you describe no longer applies in the 3.0 codebase. The location is determined by the LogoutSuccessHandler. If you want to use the referer, rmove the element from the namespace and add a LogoutFilter which has a SimpleUrlLogoutSuccessHandler with the "referer" property set to "true".

@spring-issuemaster

Luke Taylor said:

Changing type and module. Not a bug - more a limitation of the namespace, which doesn't supoprt use of the referer as the destination.

@spring-issuemaster

Luke Taylor said:

I've added SEC-1291, to allow customization of the logout success handler, so you will be able to inject the required behaviour.

@spring-issuemaster spring-issuemaster added this to the 3.0.0.RC2 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment